InTrust uses indexing on repositories for fast searching and data retrieval. Indexing is optional, but it gives you the following benefits:
Centera-based repositories currently do not support indexing.
Note that repository indexing is a resource-intensive activity. To increase indexing performance, set up a powerful dedicated computer specifically for this purpose, as described in the Dedicated Indexing topic.
When you view the contents of a repository in Repository Viewer, the most recent events are found first.
|
Caution: In InTrust versions prior to 10.4, events were not prioritized by how recent they are. Events gathered to an indexed repository by InTrust 10.4 or earlier will not be prioritized in the current version of Repository Viewer—they will be found in arbitrary order. However, in a non-indexed repository events will be prioritized correctly, even though searches will be slower. |
Performance tests conducted by InTrust quality control on repositories with typical heterogeneous data show the following results.
Number of processors | Number of agents | Repository growth rate |
---|---|---|
4 | 200 | 36MB/sec |
8 | 300 | 54MB/sec |
Number of processors | Number of agents | Repository growth rate |
---|---|---|
4 | 500 | 90MB/sec |
8 | 800 | 144MB/sec |
16 | 1100 | 198MB/sec |
Number of agents | Repository growth per minute, bytes |
Repository growth per hour, bytes |
Repository growth per day, bytes |
Repository growth per month, bytes |
---|---|---|---|---|
100 | 9,750,000 | 585,000,000 | 14,040,000,000 | 421,200,000,000 |
500 | 48,750,000 | 2,925,000,000 | 70,200,000,000 | 2,106,000,000,000 |
900 | 87,750,000 | 5,265,000,000 | 126,360,000,000 | 3,790,800,000,000 |
The typical hardware requirements for repository indexing are outlined above. If the conditions in your environment differ—for example, if the indexing computers also perform a lot of audit data gathering or monitor a lot of sites—then you need to adjust your estimates.
To estimate the required disk space, you need to know how much the actual audit data takes up. For that, the most readily available solution is to use the dir command with the /s switch.
The size of the fully indexed repository is approximately twice the data size.
When you configure indexing, it is useful to track indexing-related events in the InTrust Server event log. For details about these events, see Events from InTrust Repository Services. The following tips will only indicate the event IDs, which you can look up in that topic.
These warnings mean the number of files that haven't been indexed has exceeded a threshold value. This warning normally indicates a temporary state. For example, it may keep recurring for only four hours a day.
This error indicates that the InTrust server's event queue for a particular agent has overflowed. Reduce the activity of that agent.
The average disk queue length on the indexing InTrust server's disk and on the disk that contains the repository should not exceed the value 2. A higher number means the disk is a bottleneck resource.
Make sure you have enough bandwidth to accommodate the traffic generated by all the agents that talk to the InTrust server.
If a repository is created in InTrust Deployment Manager, indexing is enabled automatically for it, but if it is created in InTrust Manager, indexing is disabled by default. To configure indexing options for an existing repository, open its properties in InTrust Manager and go to the Indexing tab.
This tab lets you do the following:
Make sure that Active Directory delegation is enabled for the following:
If you use InTrust Manager, the recommended setup is to have more than one repository:
A freshly-deployed default repository is indexed. In an upgraded InTrust deployment, all repositories keep their indexing settings after the upgrade, so if indexing was disabled prior to the upgrade, it is not enabled automatically.
To keep the short-term repository current, set up regular repository cleanup jobs that clear all data older than specified. To move data from the short-term repository to the archive, use regular cleanup jobs that occur straight after the consolidation.
This configuration helps achieve the following:
The size of your short-term repository depends on your auditing needs. To prevent indexing from slowing down the auditing workflow, you may want to consider the suggestions in the Dedicated Indexing topic.
© ALL RIGHTS RESERVED. Términos de uso Privacidad Cookie Preference Center